KVH INDUSTRIES INC \DE\ - (KVHI)
10-K Filing Date: March 15, 2024
ITEM 1C. Cybersecurity
We have established procedures to assess, identify, and manage material risks from cybersecurity threats and have integrated those procedures into our overall risk management systems and processes.
We have implemented a written information security program ("WISP") to create administrative, technical and physical safeguards at KVH for the protection of confidential information of KVH and its employees and customers and other third parties. The WISP sets forth our procedures for evaluating our electronic and physical methods of collecting, storing, accessing, using, transmitting, and protecting confidential information, including personal information, as defined by federal and state law. We have utilized the National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF) as a baseline for the WISP procedures in addition to General Data Protection Regulation (GDPR) standards. In addition to our data privacy policy, the WISP policy defines how sensitive and private data are protected. Under our procedures, we perform an annual risk assessment to identify and prioritize key cybersecurity risks, and we update this assessment when we receive information about material new cybersecurity risks. Once we identify material cybersecurity risks, we seek to identify and implement prevention measures. Current prevention measures include, among other things, to the extent we determine to be appropriate for our information systems in light of our financial, personnel and other resources, restricted physical access, restricted systems access, multi-factor authentication, software solutions such as intrusion detection systems, anti-virus, anti-malware, e-mail filtering and quarantining programs, routine system maintenance and updates, backup and recovery systems, routine employee cybersecurity training and testing, and quarterly internal audits. The measures we take may be inadequate to protect us from cybersecurity risks. See "Item 1A. Risk Factors – Risks related to our dependence on third parties and third-party technology – Cybersecurity breaches could disrupt our operations, expose us to liability, damage our reputation, and require us to incur significant costs or otherwise adversely affect our financial results."
We obtain cybersecurity threat intelligence information from law enforcement reports and our cybersecurity operations providers and communicate this information to relevant stakeholders within the organization. We employ third-party cybersecurity operations providers to monitor cybersecurity events and provide rapid responses to any critical events. In addition, we employ contractual provisions to require our third-party information service providers to implement and maintain appropriate security measures over the information we entrust to them. Because of the relatively small size of our information technology workforce, we have limited internal cybersecurity expertise and monitoring capabilities; accordingly, we seek to augment our internal capabilities by engaging larger, well-known third-party service providers with significantly greater cybersecurity capabilities than we possess. Because we rely on their greater expertise, our ability to identify and remediate weaknesses or vulnerabilities in the services they provide is necessarily limited. We have not engaged third parties to assess our cybersecurity defenses or to audit our cybersecurity program, nor have we conducted direct or indirect technical evaluations of the information systems that our third-party service providers use.
Our Information Security Officer ("ISO") is responsible for implementing, supervising and maintaining the WISP, including the implementation of prevention measures. The ISO reports directly to the Chief Technology Officer, who is also our Chief Information Security Officer ("CISO"). The CISO establishes the company-wide system security plan and defines the parameters of users' access privileges. The CISO has worked in information technology and communications services for over 30 years, starting as a contractor at the Defense Advanced Research Projects Agency (DARPA) of the Department of Defense, where, as Network Operations Manager, the CISO managed the design and operation of the DARPA IT network. At DARPA, from 1992 to 1998, the CISO oversaw the desktop computers, servers, local area networks, and Internet access, including edge security. Since then, the CISO has managed customer network integrations for commercial satellite services at Hughes and at KVH. The CISO also developed a managed security service offering at KVH based on Fortinet technology.
We have also implemented an Incident Response Plan (“IRP”), which provides a set of guidelines on the appropriate responsive actions to take in the event of a cybersecurity incident, depending on the particular facts and circumstances of the incident.
The audit committee assists the Board of Directors in overseeing our cybersecurity program. Both the Board of Directors and the audit committee receive regular reports regarding material cybersecurity developments. In the case of a security incident, the ISO will report the incident directly to the Chief Executive Officer, Chief Technology Officer, Chief Financial Officer and Senior Vice President, General Counsel & Compliance Officer. The incident will then be communicated to the audit committee depending on its materiality.
Aside from our general efforts to protect ourselves from global cybersecurity threats, for the period covered by this annual report, management has not identified any risks from cybersecurity threats or cybersecurity incidents that we believe have had a material effect, or that are reasonably likely to have a material effect, on our business strategy, results of operations or financial condition. However, we cannot provide any assurance that they will not be materially affected by such threats or incidents in the future.